Email verification link works but shows error page

Hi Auth0 team,

If a user clicks on the email verification link a second time, it should show that the email is already verified. Right now it shows the error message in the screen shot above and is confusing our users.

1 Like

We are also experiencing the same issue with some of our clients: they click on verification link once, email is verified, but they see an error. @nicolas_sabena @konrad.sopala any updates on the bug or any workarounds?
Given that it happens for many developers with different use cases, is it a bug in the Auth0 flow?

1 Like

Yes, the same issue!

I am also having this issue when providing new individuals with access. They click the link and get the error message, but it shows that their email is verified.

@konrad.sopala @stephanie.chamblee when Auth0 sends the email verification message during account creation, the verification link always redirects to the configured redirect url. Auth0 adds “email”, “success”, and “message” query string parameters to the redirect url indicating whether the operation was successful. This ensures the user is never confronted with the Auth0 error page and enables the application to display custom messaging based on the status.

The issue seems to occur when you use the “re-send verification email” option in the user “actions” menu. In this case the link behaves differently. It doesn’t redirect back to the application.

It’s been a year with this “bug”. Does anyone please have an idea of what is going on and how to fix it?

Same here. Our users are totally confused about this generic error message.
This makes the auth0 email verification workflow unusable.

@matt.macadam is this a known issue? Is there a fix on the roadmap for this? We have a lot of confused users. Would greatly appreciate this being prioritized.

2 Likes

@nicolas_sabena bump as the error is still occurring.

1 Like

It’s still happening for our users as well, which is very confusing to users.

2 Likes

Same thing is happening for me, seems to have started after switching to one of these possibly (unless I just haven’t noticed it before switching):
Custom domain/Using custom domains for all email links/New universal experience.
We don’t use a custom email provider/email templates yet.

We also have the same problem in the “Blocked account” email when clicking the link to unblock. The account is unblocked but I get an error message.

As said before, not a great user experience.

We are also experiencing this issue. It is highly confusing to users to get the Error - Email cannot be verified message, when the email is already verified. I see this has been happening for a while. Is there any ETA on a fix? @nicolas_sabena @alonza.spain

I was getting this message for a while and after some changes, I’m now just getting invalid_grant (Invalid authorization code). The query in the URL I’m getting however does say “?supportSignUp=true&supportForgotPassword=true&message=Your%20email%20was%20verified.%20You%20can%20continue%20using%20the%20application.&success=true&code=success#”

Hi,
we have the same issue here.
The workaround of deleting the “Redirect To” attribute in the email template doesn’t work.
To summarize:
Clicking the link in the first verification email works normally (success message displayed).
Clicking the link in an email received after calling the management API displays “Error, Your email address could not be verified.” even though the email is correctly verified and subsequent logins work normally.
If someone from Auth0 could contact me, I have all the reproduction information available.
Thanks a lot

I’m not sure if this is what is causing your problem, but from what I can see, it seems that some email service providers/servers will scan/open all links in an email as a security measure before delivering it to the user’s inbox.

Initially I thought Amazon SES was scanning/opening the links while delivering the emails, but it turns out that it was actually my email service provider.

The reason some of your users see this problem, is because the 1-time use link has already been opened and used by the user’s email service provider.

Not all email service providers do this, so that’s why the problem is intermittent.

I think the most developer-friendly option would be for Auth0 to require additional steps from the user as opposed to just visiting the link. Something as simple as requiring the user to click a button to finish the process would probably work. Additionally, they could probably implement some form of Captcha functionality to truly prevent any form of non-human from being able to complete the process.

For additional reading on this topic, visit this link: authentication - Do mail servers follow links in emails as part of a security scan before inbox delivery? - Information Security Stack Exchange

P.S. Based on the article I linked above, I’m guessing this problem probably affects the Passwordless Login emails as well.

3 Likes

We noticed this issue for our users. We also noticed that the Email verification IP and login IP were different. For internal users we noticed that the email verification IP was indeed the IP of our email servers and have all but confirmed that our company’s email scanning is accessing this link.

Adding some captcha or otherwise detecting human vs robot access should be very straightforward and resolve this issue.

3 Likes

I’m facing this issue as well and was wondering whether anybody’s found a good solution?

No solution to this yet?

How’s this for a workaround?

  1. Backend creates a UUID → email mapping
  2. Magic link is replaced by mybackend.com/redirect?path=foo.com/bar&verify-email-uuid=123
  3. Backend looks up the email and manually verifies and then returns a redirect 302 to foo.com/bar
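
A sketch of the workaround above, written so that a second visit to the same link (a mail scanner first, then the user) still ends in the redirect instead of an error. This is an added example, not part of any post and not Auth0 code: `mark_verified_upstream` is a hypothetical stand-in for whatever call sets the user's verified flag, the in-memory stores and the host allowlist are assumptions, and the allowlist is added here because `path` arrives in the query string.

```python
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample state; a real backend would use a database with expiry.
ALLOWED_REDIRECT_HOSTS = {"foo.com"}   # assumption: hosts we may send users to
PENDING = {}                           # step 1: UUID -> email mapping
VERIFIED = set()                       # emails already marked verified


def mark_verified_upstream(email):
    """Hypothetical placeholder for the call that flags the user as verified."""
    VERIFIED.add(email)


def create_link(email, path):
    """Steps 1 and 2: store the mapping and build the link put in the email."""
    token = str(uuid.uuid4())          # random, unguessable identifier
    PENDING[token] = email
    query = urlencode({"path": path, "verify-email-uuid": token})
    return "https://mybackend.com/redirect?" + query


def handle_redirect(url):
    """Step 3: return (status, location); repeat visits give the same answer."""
    qs = parse_qs(urlsplit(url).query)
    token = qs.get("verify-email-uuid", [""])[0]
    path = qs.get("path", [""])[0]

    # Only redirect to hosts we own, so the link cannot be repurposed.
    if urlsplit("https://" + path).hostname not in ALLOWED_REDIRECT_HOSTS:
        return 400, None

    email = PENDING.get(token)
    if email is None:
        return 404, None               # unknown token

    # Idempotent: the mapping is kept, so a scanner's visit does not
    # turn the user's later click into an error page.
    if email not in VERIFIED:
        mark_verified_upstream(email)
    return 302, "https://" + path


if __name__ == "__main__":
    link = create_link("user@example.com", "foo.com/bar")
    print(handle_redirect(link))       # scanner prefetch
    print(handle_redirect(link))       # user click, same result
```

With this design a scanner's prefetch completes the verification on the user's behalf; the confirm-button step suggested earlier in the thread is the option that requires an action from the user.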

I am still facing this issue. Any updates on this?

2 Likes